Security Vulnerabilities - CVEs Published In May 2022
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker who can access a victim's HTTP request to obtain the victim's cookie, base64-decode it, and recover the cleartext password, which in turn gives the attacker access to the API documentation for use in further API attacks.
CVSS Score: 7.5 | EPSS Score: 0.031 | Published: 2022-05-03
EmpireCMS 7.5 has a SQL injection vulnerability in AdClass.php.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2022-05-03
In SpringBootMovie <=1.2, the movie name entered when adding a movie is stored without any input filtering, so malicious code can be stored and later rendered, resulting in stored XSS.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-05-03
A stored cross-site scripting (XSS) vulnerability exists in FUEL-CMS 1.5.1 that allows an authenticated user to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it will trigger an XSS attack.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-05-03
Bluecms 1.6 has a SQL injection vulnerability via the cookie.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2022-05-03
Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2022-05-03
A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2022-05-03
A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.
CVSS Score: 7.1 | EPSS Score: 0.003 | Published: 2022-05-03
There is a stack overflow vulnerability in the goform/fast_setting_wifi_set function in the httpd service of the Tenda ac9 15.03.2.21_cn router. An attacker can obtain a stable shell through a carefully constructed payload.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2022-05-03
There is a stack overflow vulnerability in the /goform/setMacFilterCfg function in the httpd service of the Tenda ax12 22.03.01.21_cn router. An attacker can obtain a stable shell through a carefully constructed payload.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2022-05-03
Shodan ® - All rights reserved